From fd8d3f1fb7b592ee5b6bc6e2708fb342a649bf93 Mon Sep 17 00:00:00 2001
From: Yik Teng Hie
Date: Sun, 3 Sep 2023 15:11:49 +0800
Subject: [PATCH] add sftp server setup

---
 sftp-server.md | 74 ++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 74 insertions(+)
 create mode 100644 sftp-server.md

diff --git a/sftp-server.md b/sftp-server.md
new file mode 100644
index 0000000..4bdec53
--- /dev/null
+++ b/sftp-server.md
@@ -0,0 +1,74 @@
+# sftp configurstion
+
+* [Reference](https://www.thegeekstuff.com/2012/03/chroot-sftp-setup/)
+
+## Steps
+
+1. Create a New Group
+ ```sh
+ $ groupadd sftpusers
+ ```
+
+2. Create Users
+ ```sh
+ # create guestuser
+ $ useradd -g sftpusers -d /incoming -s /sbin/nologin guestuser
+
+ # change guestuser password
+ $ passwd guestuser
+
+ # verify creation
+ $ grep guestuser /etc/passwd
+
+ # modify an existing user. eg john
+ $ usermod -g sftpusers -d /incoming -s /sbin/nologin john
+ ```
+
+3. Setup `sshd_config`
+```sh
+$ nano /etc/ssh/sshd_config
+```
+
+* Comment out `Subsystem sftp /usr/libexec/openssh/sftp-server`. Add the following
+
+```txt
+#Subsystem sftp /usr/libexec/openssh/sftp-server
+Subsystem sftp internal-sftp
+
+Match Group sftpusers
+ ChrootDirectory /sftp/%u
+ ForceCommand internal-sftp
+
+```
+
+4. Create sftp home dirctory
+```sh
+$ mkdir /sftp
+$ mkdir /sftp/guestuser
+$ mkdir /sftp/guestuser/incoming
+
+# set folder ownership
+$ chown guestuser:sftpusers /sftp/guestuser/incoming
+
+# verify ownership
+$ ls -ld /sftp/guestuser/incoming
+drwxr-xr-x 2 guestuser sftpusers 4096 Dec 28 23:49 /sftp/guestuser/incoming
+
+$ ls -ld /sftp/guestuser
+drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp/guestuser
+
+$ ls -ld /sftp
+drwxr-xr-x 3 root root 4096 Dec 28 23:49 /sftp
+
+```
+
+5. Restart sshd
+```sh
+$ service sshd restart
+```
+
+6 Test setup
+```sh
+# user should only able to access the incoming folder as root level
+$ sftp guestuser@192.168.0.222
+```
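Review bot: The `Match Group sftpusers` block in the `sshd_config` snippet restricts the session with `ForceCommand internal-sftp` but leaves port and X11 forwarding enabled, so a chrooted account can still tunnel through the server; add `AllowTcpForwarding no`, `X11Forwarding no` and `AllowAgentForwarding no` to that block. The snippet should also say that a `Match` block must be placed after all global directives, because every line below it up to the next `Match` is conditional on the group. Step 5 restarts sshd without validating the file first; run `sshd -t` before `service sshd restart` so a typo in the new block does not lock you out of the host. The `ls -ld` output in step 4 shows the root-owned, non-group-writable chroot path that OpenSSH requires for `ChrootDirectory`, which is worth stating explicitly rather than leaving the reader to infer it from the listing.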